Updated on 2025-07-25 GMT+08:00

Viewing the Traffic Between VPCs Connected by a VPC Peering Connection

Solution Architecture

In this example, a VPC peering connection (Peering-AB) connects two VPCs, VPC-A and VPC-B. If O&M engineers need to view the traffic between the two VPCs, you can create a VPC flow log that collects the flow log of VPC-A.

Figure 1 Viewing traffic between VPCs connected by a VPC peering connection

Constraints

For details about the restrictions on flow logs, see Constraints.

Resource Planning

In this example, the VPCs, subnets, ECSs, VPC peering connection, and VPC flow log must be in the same region but can be in different AZs.

The following resource details are only for your reference. You can modify them if needed.

Table 1 Resource planning (columns: Resource | Quantity | Description)

VPC and subnet | VPC: 2, Subnet: 2
  • Name: Set it as needed. In this example, VPC-A and VPC-B are used.
  • IPv4 CIDR Block (VPC): Set it as needed. In this example, 192.168.0.0/16 is used for VPC-A, and 172.16.0.0/16 is used for VPC-B.
  • Subnet Name: Set it as needed. In this example, Subnet-A01 and Subnet-B01 are used.
  • IPv4 CIDR Block (Subnet): Set it as needed. In this example, the CIDR block of Subnet-A01 is 192.168.0.0/24 and that of Subnet-B01 is 172.16.0.0/24.
  • Route table: A VPC comes with a default route table. In this example, the default route table of VPC-A is rtb-VPC-A, and that of VPC-B is rtb-VPC-B.

ECS | 2
Configure the two ECSs as follows:
  • ECS Name: Set it as needed. In this example, the ECSs are named ECS-01 and ECS-02.
  • ECS flavor: In this example, flow logs of the network interface attached to ECS-01 are collected, so select an ECS flavor that supports flow logs. For details, see Constraints. There is no such restriction on the flavor of ECS-02.
  • Image: Set it as needed. In this example, the public image Huawei Cloud EulerOS 2.0 Standard 64 bit is used.
  • System Disk: In this example, a general-purpose SSD disk of 40 GiB is used.
  • Data Disk: Set it as needed. In this example, no data disk is used.
  • Network
    • VPC: Select your required VPC. In this example, select VPC-A for ECS-01 and VPC-B for ECS-02.
    • Subnet: Select your required subnet. In this example, select Subnet-A01 for ECS-01 and Subnet-B01 for ECS-02.
  • Security Group: In this example, the two ECSs are associated with the same security group (Sg-X). Ensure that all rules in Table 2 are added.

    If the ECSs are associated with different security groups, you need to add additional rules.

    For example, if ECS-01 is associated with Sg-X and ECS-02 with Sg-A, add the rules in Table 3 to Sg-X and Sg-A so that the two ECSs can communicate with each other.

  • EIP: Select Not required.
  • Private IP address: In this example, use 192.168.0.66 for ECS-01 and 172.16.0.31 for ECS-02.

VPC peering connection | 1
  • VPC Peering Connection Name: Set it as needed. In this example, Peering-AB is used.
  • Local VPC: Set it as planned. In this example, select VPC-A with the CIDR block 192.168.0.0/16.
  • Account: Set it as planned. In this example, select My account, indicating that the VPCs connected by the VPC peering connection belong to the same account.
  • Peer VPC: Set it as planned. In this example, select VPC-B with the CIDR block 172.16.0.0/16.
  • Routes: After the VPC peering connection is created, you need to add routes to the route tables of the local and peer VPCs to connect them. For details about the routes required in this example, see Table 4.

VPC flow log | 1
  • Name: Set it as needed. In this example, name it flowlog-A.
  • Resource Type: In this example, set it to VPC.
  • Resource: Select a resource as needed. In this example, select VPC-A with the CIDR block 192.168.0.0/16.
  • Filter: Select All traffic in this example.
  • Log Group: Select an existing log group or create one. The log group in this example is as follows:
    • Log Group Name: Set it as needed. In this example, lts-group-A is used.
    • Log Retention (Days): Set it as needed. In this example, 30 is used.
  • Log Stream: Select an existing log stream or create one. The log stream in this example is as follows:
    • Log Group Name: In this example, the log group name is lts-group-A.
    • Log Stream Name: Set it as needed. In this example, lts-topic-A is used.
    • Log Storage: You are advised to enable this function for log search and analysis.
    • Log Retention (Days): Set it as needed. In this example, 30 is used.

Table 2 Security group Sg-X rules

Direction | Action | Type | Protocol & Port | Source/Destination | Description
Inbound | Allow | IPv4 | TCP: 22 | Source: 0.0.0.0/0 | Allows remote logins to Linux ECSs over SSH port 22.
Inbound | Allow | IPv4 | TCP: 3389 | Source: 0.0.0.0/0 | Allows remote logins to Windows ECSs over RDP port 3389.
Inbound | Allow | IPv4 | All | Source: current security group (Sg-X) | Allows the ECSs in Sg-X to communicate with each other using IPv4 addresses.
Inbound | Allow | IPv6 | All | Source: current security group (Sg-X) | Allows the ECSs in Sg-X to communicate with each other using IPv6 addresses.
Outbound | Allow | IPv4 | All | Destination: 0.0.0.0/0 | Allows ECSs in Sg-X to access external networks using IPv4 addresses.
Outbound | Allow | IPv6 | All | Destination: ::/0 | Allows ECSs in Sg-X to access external networks using IPv6 addresses.

If the source of an inbound rule is set to 0.0.0.0/0, every external IP address is allowed to attempt a remote login to your instances. Exposing port 22 or 3389 to the public network leaves your instances open to network risks. To address this, restrict the source to a trusted IP address, for example, the IP address of your local PC.

Table 3 Rules of security groups Sg-X and Sg-A

Security Group | Direction | Action | Type | Protocol & Port | Source | Description
Sg-X | Inbound | Allow | IPv4 | All | Security group Sg-A | Allows IPv4 traffic from ECSs in Sg-A to reach ECSs in Sg-X.
Sg-A | Inbound | Allow | IPv4 | All | Security group Sg-X | Allows IPv4 traffic from ECSs in Sg-X to reach ECSs in Sg-A.

Table 4 VPC route tables

VPC Name | Route Table | Destination | Next Hop Type | Next Hop | Route Type
VPC-A | Default route table: rtb-VPC-A | VPC-B CIDR block: 172.16.0.0/16 | VPC peering connection | Peering-AB | Custom
VPC-B | Default route table: rtb-VPC-B | VPC-A CIDR block: 192.168.0.0/16 | VPC peering connection | Peering-AB | Custom

Procedure

Figure 2 shows the process for viewing the traffic between ECSs in different VPCs.

Figure 2 Process for viewing traffic between VPCs connected by a VPC peering connection

Step 1: Create Cloud Resources

  1. Create two VPCs, each with a subnet.

    For details, see Creating a VPC and Subnet.

  2. Create two ECSs.

    For details, see Purchasing a Custom ECS.

  3. Create a VPC peering connection and add routes to the route tables of the two VPCs.

Step 2: Create a VPC Flow Log

  1. Create a log group and log stream on the LTS console.

    For details about how to create a log group, see Creating a Log Group.

    For details about how to create a log stream, see Creating a Log Stream.

  2. Create a VPC flow log.

    For details, see Creating a VPC Flow Log.

Step 3: View the VPC Flow Log

The flow log collects the information about the traffic flowing through VPC-A.

  1. Remotely log in to ECS-01 in VPC-A.

    For details, see How Do I Log In to My ECS?

  2. Ping ECS-02 in VPC-B from ECS-01 in VPC-A and collect logs:

    ping <private-IP-address-of-ECS-02>

    Example command:

    ping 172.16.0.31

    Information similar to the following is displayed. You can view the flow log records in about 10 minutes. Do not stop the ping command during flow log collection.
    [root@ecs-01 ~]# ping 172.16.0.31
    PING 172.16.0.31 (172.16.0.31) 56(84) bytes of data.
    64 bytes from 172.16.0.31: icmp_seq=1 ttl=63 time=0.510 ms
    64 bytes from 172.16.0.31: icmp_seq=2 ttl=63 time=0.392 ms
    64 bytes from 172.16.0.31: icmp_seq=3 ttl=63 time=0.332 ms
    ...
  3. Wait for about 10 minutes and view the VPC flow log information by referring to Viewing a VPC Flow Log.

    You can enter the IP address (172.16.0.31) of ECS-02 in the search box to quickly filter the logs of the communication between ECS-01 and ECS-02.

    Figure 3 Viewing logs
    The flow log record is in the following format:
    <version> <project-id> <interface-id> <srcaddr> <dstaddr> <srcport> <dstport> <protocol> <packets> <bytes> <start> <end> <action> <log-status>
    • Example log: 1 857dcccea8644ce1abcfc57b6474c5ad 10b6d5df-8abe-4bc5-85ba-f01ce445dacc 192.168.0.66 172.16.0.31 8 0 1 258 25284 1740022820 1740023420 ACCEPT OK
    • Log description: The VPC flow log version is 1. The record shows that 258 echo request packets (type=8, code=0; for ICMP the srcport and dstport fields carry the type and code) were sent from the source (192.168.0.66) to the destination (172.16.0.31) through network interface 10b6d5df-8abe-4bc5-85ba-f01ce445dacc using ICMP (protocol=1) between 11:40:20 and 11:50:20 (10 minutes) on February 20, 2025. The packets total 25,284 bytes.

      For details about flow log data, see VPC Flow Log Data.
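The record format above, parsed and summarised in Python as an added example that is not part of this documentation: it splits a record on spaces (the same split Table 5 configures in LTS), decodes the ICMP type and code carried in the port columns, renders the page's Log description, and totals the packets and bytes that crossed Peering-AB in each direction using the VPC-A and VPC-B CIDR blocks. The first sample record is the page's own; the echo-reply and intra-VPC-A SSH records, the IANA protocol and ICMP-type lookup tables, and the GMT+08:00 offset are assumptions added here.

```python
import ipaddress
from datetime import datetime, timedelta, timezone
# Field order exactly as the record format lists it (the same split Table 5 configures in LTS).
FIELDS = ("version", "project-id", "interface-id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log-status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}       # IANA protocol numbers (assumed lookup table)
ICMP_TYPES = {0: "echo reply", 8: "echo request"}  # IANA ICMP type numbers (assumed lookup table)
TZ = timezone(timedelta(hours=8))                   # GMT+08:00, the offset the page's times use

def parse_record(line):
    """Split one space-delimited record into a dict keyed by the documented field names."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return {k: int(v) if k in INT_FIELDS else v for k, v in zip(FIELDS, parts)}

def describe(rec):
    """Render a record the way the page's 'Log description' does."""
    proto = PROTOCOLS.get(rec["protocol"], f"protocol {rec['protocol']}")
    if rec["protocol"] == 1:  # for ICMP the port columns carry type and code, not ports
        kind = ICMP_TYPES.get(rec["srcport"], f"ICMP type {rec['srcport']}")
        what = f"{rec['packets']} {kind} packets (type={rec['srcport']},code={rec['dstport']})"
    else:
        what = f"{rec['packets']} {proto} packets, port {rec['srcport']} -> {rec['dstport']}"
    start, end = (datetime.fromtimestamp(rec[k], TZ) for k in ("start", "end"))
    return (f"{what} from {rec['srcaddr']} to {rec['dstaddr']} via {rec['interface-id']}, "
            f"{start:%Y-%m-%d %H:%M:%S} to {end:%H:%M:%S}, {rec['bytes']} bytes, {rec['action']}")

def peering_summary(lines, local_cidr, peer_cidr):
    """Sum (packets, bytes) per direction for flows that cross between the two VPC CIDR blocks."""
    local, peer = ipaddress.ip_network(local_cidr), ipaddress.ip_network(peer_cidr)
    totals = {"local->peer": (0, 0), "peer->local": (0, 0)}
    for rec in map(parse_record, lines):
        if rec["log-status"] != "OK":  # only OK records carry usable counters
            continue
        src, dst = ipaddress.ip_address(rec["srcaddr"]), ipaddress.ip_address(rec["dstaddr"])
        key = ("local->peer" if src in local and dst in peer
               else "peer->local" if src in peer and dst in local else None)
        if key is None:  # stayed inside one VPC, so it never crossed the peering connection
            continue
        totals[key] = (totals[key][0] + rec["packets"], totals[key][1] + rec["bytes"])
    return totals

# Constructed sample: the page's record, an echo-reply record for the return path, and intra-VPC-A SSH.
SAMPLE = [
    "1 857dcccea8644ce1abcfc57b6474c5ad 10b6d5df-8abe-4bc5-85ba-f01ce445dacc 192.168.0.66 172.16.0.31 8 0 1 258 25284 1740022820 1740023420 ACCEPT OK",
    "1 857dcccea8644ce1abcfc57b6474c5ad 10b6d5df-8abe-4bc5-85ba-f01ce445dacc 172.16.0.31 192.168.0.66 0 0 1 258 25284 1740022820 1740023420 ACCEPT OK",
    "1 857dcccea8644ce1abcfc57b6474c5ad 10b6d5df-8abe-4bc5-85ba-f01ce445dacc 192.168.0.77 192.168.0.66 50122 22 6 12 1800 1740022820 1740023420 ACCEPT OK",
]
```

Running `peering_summary(SAMPLE, "192.168.0.0/16", "172.16.0.0/16")` attributes only the two ICMP records to the peering connection and leaves the intra-VPC SSH record out of both totals.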

Step 4: Configure Cloud Structuring Parsing and Analyze Visualized Logs for the VPC Flow Log

LTS allows you to search for and analyze collected logs and displays log analysis results in a visualized manner.
  1. Configure cloud structuring parsing.

    Table 5 shows the parameter settings in this example. For details, see Cloud Structuring Parsing.

    Figure 4 Configuring cloud structuring parsing
    Table 5 Parameters for configuring cloud structuring parsing

    Step | Operation
    1 | Set the structuring mode to Delimiter.
    2 | Enter the VPC flow log: 1 f0512a6441dc47189f5e03a428f48267 ef676eb6-0a0a-4939-85c9-9f8db1d1937c 192.168.0.66 192.168.1.31 8 0 1 585 57330 1739877133 1739877733 ACCEPT OK
    3 | Select Space as the delimiter.
    4 | Click Intelligent Extraction.
    5 | In the intelligent extraction field list, rename the extracted fields to the flow log parameters: version, project-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, and log-status.

  2. Analyze the logs based on the cloud structuring parsing.
    The following shows two visualized log analysis methods:
    • Visualize logs in statistical charts. Statistical charts, such as tables, bar charts, and line charts, are rendered by LTS based on SQL query syntax.
      1. On the Log Analysis tab, enter the required statement in the search box by referring to Using SQL Analysis Syntax to obtain the required logs.

        The following statement uses the hourly traffic of ECS-01 as an example.

        SELECT TIME_FORMAT(TIME_CEIL(__time, 'PT1H'), 'yyyy-MM-dd HH:mm:ss') as "time", count(1) as pv group by "time"
      2. On the right of the page, configure the time and other information.

        In this example, you can view the hourly traffic data within a day. For more information about the statistical charts, see Statistical Charts.

        Figure 5 Traffic line chart
    • Visualize logs in dashboards. The dashboard is a real-time data visualization tool provided by LTS.
      1. Ingest VPC logs to LTS by referring to Ingesting VPC Logs to LTS.
      2. After VPC logs are ingested, choose Dashboards > VPC dashboard templates > VPC Flow Logs on the LTS console.

        Wait for a few minutes and view the log data. For more information about the dashboard, see VPC Dashboard Template.

        Figure 6 VPC flow log dashboard